ospab
/
ostp
mirror of https://github.com/ospab/ostp.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ostp/docs/en/ieee_spec.md

5.8 KiB
Raw Blame History

IEEE P2974.1™ Draft Standard for High-Assurance Multiplexed Industrial Telemetry Transport

Status: Work-in-Progress Draft (For Engineering Consortium Review Only)
Document Reference: IEEE-P2974.1-D04
Subject Area: Networked Sensors, Distributed Industrial Grids, SCADA Relaying

1. Overview and Scope

1.1 Introduction

This standard defines the wire format, state machine, and operational parameters of the Ospab Stealth Transport Protocol (OSTP). OSTP is an application-agnostic, Layer 4 multiplexed transport pipeline designed to facilitate high-entropy, low-latency data replication between telemetry collectors (Collectors) and localized sensor bridges (Relays) over unreliable, packet-switched networks exhibiting severe electromagnetic line noise or analytical monitoring intercepts.

1.2 Scope

The scope of this specification includes:

  • Differential spectral framing architectures to minimize traffic signature footprints.
  • Zero-trust pre-shared cryptographic node initialization channels.
  • Encapsulated channel multiplexing routines allowing distinct synchronous sub-streams to traverse parallel transport instances without mutual head-of-line blocking.

2. Mathematical Notation and Conventions

  • \oplus: Bitwise Exclusive OR (XOR).
  • \text{SHA-256}(X): Secure Hash Algorithm yielding 32 octets.
  • \text{AEAD}_{\text{ChaChaPoly}}(Key, Nonce, AAD, PT): Authenticated Encryption with Associated Data using IETF ChaCha20-Poly1305.
  • \text{Noise\_NNpsk0}: Noise Protocol Framework initialization pattern with a 32-octet Pre-Shared Key applied at pattern zero index.

3. Core Frame Format (Wire Specification)

OSTP datagrams traversing the physical network interface are restricted to maximum MTU alignments and are categorized into Handshake Frames and Data Frames. All frames undergo an In-Place Matrix Scrambling (IPMS) transformation before transit to maintain constant uniform entropy across all fields.

3.1 In-Place Matrix Scrambling (IPMS)

Prior to ingestion by physical Layer 3 endpoints, static identification values must undergo dynamic byte-layer transformations to suppress consistent statistical signatures (e.g., constant prefixes).

Let K_{\text{obf}} be the static 8-octet signal obfuscation key derived as:

K_{\text{obf}} = \text{SHA-256}(Key_{\text{access}})[0..7]

3.1.1 Handshake Mode IPMS

For initial channel establishment packets (where S_{\text{active}} = \text{False}):

\text{Payload}_{\text{scrambled}}[i] = \text{Payload}_{\text{raw}}[i] \oplus K_{\text{obf}}[i \pmod 8], \quad \forall i \in [0..3]

3.1.2 Operational Mode IPMS

For subsequent high-speed transmission cycles (where S_{\text{active}} = \text{True}): The 8-octet packet counter (Nonce_{\text{raw}}) and 4-octet channel address (SessionID_{\text{raw}}) undergo two-tier skew-shaping:

  1. Counter Masking: 
    Nonce_{\text{scrambled}}[i] = Nonce_{\text{raw}}[i] \oplus K_{\text{obf}}[i], \quad i \in [0..7]
  2. Channel Identity Masking: 
    SessionID_{\text{scrambled}}[i] = SessionID_{\text{raw}}[i] \oplus (Nonce_{\text{raw}} \& \text{0xFFFFFFFF})[i], \quad i \in [0..3]

Since Nonce_{\text{raw}} increments deterministically upon each transmission, the resultant SessionID_{\text{scrambled}} prefix exhibits zero operational auto-correlation across consecutive packets, rendering statistical filtering models obsolete.

4. Cryptographic Pipeline Initialization

The validation handshake sequence utilizes the Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s specification. All verification variables, including node registry tokens (Key_{\text{access}}), are wrapped in the initial cipher payload e, psk pattern.

  Initiator (Relay Bridge)                 Responder (Collector Node)
  ------------------------                 --------------------------
         |                                            |
         |  [Scrambled e, es, psk]                    |
         |------------------------------------------->| (Session Instantiation)
         |                                            |
         |                     [Scrambled e, ee]      |
         |<-------------------------------------------| (Transport Key Split)
         |                                            |

5. Spectral Frame Padding (Adaptive Alignment)

To counter traffic profiling through Packet Length Analysis (PLA), the protocol utilizes a discrete adaptive alignment system. Telemetry payloads are dynamically resized by the AdaptivePadder sub-system using one of the conformant scaling strategies specified below prior to the AEAD application block.

5.1 Scaling Strategies

  1. Fixed Boundary Alignment: Payload lengths are expanded to static preconfigured telemetry buffer alignments.
  2. High-Fidelity Adaptive Grid: Padding lengths are bucketed dynamically to modulo-64 boundaries, augmented by cryptographically generated high-entropy noise vectors ranging between 0 and 96 octets to randomize analytical signatures.
  3. Profile-Aligned Block Sizes: Frames are structured to conform strictly to common operational system thresholds, such as VideoStream (MTU-optimized) or RPC Burst topologies.

5.2 Data Padding Composition

Conformant implementations MUST fill designated padding regions with true cryptographic randomness derived from an OS-provided entropy pool (e.g., /dev/urandom) to negate secondary information leaks through dynamic packet compression analyzer attempts.

6. Multiplexing Geometry

The protocol supports internal transport pipeline splitting, defined as the capability to host multiple logically separate Noise sessions over a singular physical local socket descriptor. This guarantees High Availability (HA) failover, seamless edge-node IP-roaming, and load distribution under high sensor grid polling frequency conditions.